
Netty CVE-2026-50020

EUVD-2026-36468 · MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-06-12 · GitHub_M · GHSA-hvcg-qmg6-jm4c
CVSS 3.1: 5.3 (Vendor: GitHub_M)

Severity by source

Vendor (GitHub_M), primary: 5.3 MEDIUM
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

vuln.today AI: 5.4 MEDIUM
  Rationale: AC:H because a desync requires a co-operating front-end that interprets the control bytes differently; S:C because smuggling affects the integrity of other users' requests.
  CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
  CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

SUSE: MEDIUM (qualitative)

Red Hat: 5.3 MEDIUM (qualitative)

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

  • Patch available: Jun 12, 2026 17:01 (EUVD)
  • Source code evidence fetched: Jun 12, 2026 16:33 (vuln.today)
  • Analysis generated: Jun 12, 2026 16:33 (vuln.today)

Blast Radius (ecosystem impact; transitive dependency graph resolved by vuln.today to 4-path depth)

  • 344 maven packages depend on io.netty:netty-codec-http (32 direct, 312 indirect)

Ecosystem-wide dependent count for version 4.2.0.Final.

Description (CVE.org)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControl(b) is true (0x00-0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line - a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Analysis (AI)

HTTP request smuggling in Netty's HttpObjectDecoder (netty-codec-http) allows unauthenticated remote attackers to manipulate request-boundary parsing in pipelined or multiplexed deployments by injecting non-CRLF ISO control characters (NUL, SOH, STX, etc.) before the HTTP request-line. Affected are all Netty releases prior to 4.1.135.Final and 4.2.15.Final; both branches have vendor-confirmed patches. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: identify a Netty back-end behind an HTTP proxy
  • Delivery: craft a request with a NUL/control-byte prefix
  • Exploit: front-end and Netty disagree on the request boundary
  • Execution: smuggled request is prepended to the victim's stream
  • Impact: back-end processes the attacker-controlled request as the victim's

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a multi-tier HTTP deployment in which a front-end intermediary (reverse proxy, CDN edge, load balancer) and the Netty back-end disagree on the interpretation of non-CRLF ISO control characters (0x00-0x1F excluding 0x0D/0x0A, and 0x7F) in the pre-request-line byte stream, specifically over HTTP/1.1 pipelined or HTTP/2-to-HTTP/1.1 multiplexed transports, since only a shared back-end connection lets one client's bytes land in another client's request stream. …
Risk Assessment: The vendor-assigned (GitHub_M) CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) captures network reachability and the absence of an authentication barrier, but AC:L appears optimistic: successful exploitation realistically requires a specific multi-tier deployment in which a front-end component parses or strips the injected control bytes differently than Netty does, a condition better reflected by AC:H. …
Exploit Scenario: An attacker targets a deployment in which a front-end reverse proxy (e.g., nginx or HAProxy) forwards pipelined HTTP/1.1 connections to a Netty-based back-end, and sends a request whose bytes begin with NUL or other ISO control characters immediately before the HTTP method token. If the front-end treats those bytes as request delimiters or ignores them at the connection level while Netty's HttpObjectDecoder silently discards them, the two parsers no longer agree on where the request begins, and Netty parses what follows as a new request from the attacker. Whether a given front-end rejects, strips, or forwards such leading bytes is the deciding factor and should be checked against the actual proxy in use rather than assumed. …
Remediation: Upgrade netty-codec-http to 4.1.135.Final (4.1.x users) or 4.2.15.Final (4.2.x users); both are confirmed patched releases per the vendor release notes at https://github.com/netty/netty/releases/tag/netty-4.1.135.Final and https://github.com/netty/netty/releases/tag/netty-4.2.15.Final. Verify the resolved version in the build rather than only the declared one: the blast-radius count above shows that most dependents (312 of 344) pull netty-codec-http in transitively, so a dependency-management override or transitive pin may be required. …
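The pre-request-line skipping contrasted in the CVE.org description and relied on in the exploit scenario above, modelled as an added example: this is Python written for this page, not Netty's Java code, and it shows nothing about any particular proxy's behaviour, which the page does not establish. It reimplements the two policies the description contrasts (the pre-fix decoder's skip of every ISO control and whitespace byte, and the RFC 9112 §2.2 allowance of empty CRLF lines only) and parses a constructed pipelined message both ways. The Character.isISOControl byte range (0x00-0x1F and 0x7F) is taken from the description; the whitespace set, the request-line grammar check, the sample messages and all function names are assumptions made for the model.

```python
# Added example for this page (not Netty source): a model of the two
# pre-request-line skipping policies the CVE description contrasts.
from typing import Optional, Tuple

CRLF = b"\r\n"
RequestLine = Tuple[str, str, str]


def is_iso_control(b: int) -> bool:
    """Character.isISOControl as the description states it for a byte:
    0x00-0x1F and 0x7F. (Bytes 0x80-0xFF widen to negative ints in Java and
    are not controls; assumption drawn from the stated range.)"""
    return b <= 0x1F or b == 0x7F


def is_whitespace(b: int) -> bool:
    """ASCII whitespace: SP, HTAB, LF, VT, FF, CR (assumed set; the other
    bytes Java's Character.isWhitespace accepts are already ISO controls)."""
    return b in (0x20, 0x09, 0x0A, 0x0B, 0x0C, 0x0D)


def skip_lenient(data: bytes) -> int:
    """Offset where the pre-fix decoder starts the request-line: every
    control or whitespace byte before it is silently dropped."""
    i = 0
    while i < len(data) and (is_iso_control(data[i]) or is_whitespace(data[i])):
        i += 1
    return i


def skip_rfc9112(data: bytes) -> int:
    """Offset after the only thing RFC 9112 section 2.2 lets a server ignore
    before a request-line: empty lines, i.e. leading CRLF pairs."""
    i = 0
    while data.startswith(CRLF, i):
        i += 2
    return i


def parse_request_line(data: bytes, start: int) -> Optional[RequestLine]:
    """Parse 'method SP target SP HTTP-version CRLF' at `start`; None when
    malformed. A method is a token, so a leftover control byte in it fails."""
    end = data.find(CRLF, start)
    if end < 0:
        return None
    parts = data[start:end].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method = parts[0]
    if not method or any(is_iso_control(c) or is_whitespace(c) for c in method):
        return None
    return (parts[0].decode("latin-1"),
            parts[1].decode("latin-1"),
            parts[2].decode("latin-1"))


def compare(data: bytes) -> Tuple[Optional[RequestLine], Optional[RequestLine], bytes]:
    """(strict parse, lenient parse, bytes only the lenient decoder absorbed).
    The lenient offset is never smaller than the strict one, because every
    byte the strict skip drops (CR, LF) is whitespace to the lenient skip."""
    strict, lenient = skip_rfc9112(data), skip_lenient(data)
    return (parse_request_line(data, strict),
            parse_request_line(data, lenient),
            data[strict:lenient])


def disagrees(data: bytes) -> bool:
    """True when a message carries non-CRLF control/whitespace bytes ahead of
    its request-line: the condition worth flagging on captured traffic."""
    return compare(data)[2] != b""


if __name__ == "__main__":
    # Constructed samples: NUL + SOH ahead of the method token, as in the
    # description, and an ordinary request preceded by one empty line.
    smuggled = b"\x00\x01GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n"
    normal = b"\r\nGET / HTTP/1.1\r\nHost: app.internal\r\n\r\n"
    for msg in (smuggled, normal):
        strict, lenient, absorbed = compare(msg)
        print(f"strict={strict} lenient={lenient} absorbed={absorbed!r}")
```

`compare()` returns the strict and lenient parses of one message together with the bytes only the lenient decoder absorbed; a non-empty third element is exactly the prefix on which an RFC-strict parser and an unpatched Netty would place the request boundary differently, and `disagrees()` is the same test as a boolean for scanning captured front-end traffic for such prefixes.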


Vendor Status

SUSE (severity: Moderate)

Product status:
  • openSUSE Tumbleweed: Fixed
  • SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS: Affected
